
What Liveclicker is Doing to Prepare for the GDPR, and How You Can, Too

The GDPR is coming, and many companies are scrambling to do all they can to prepare now.

For more information, you can review our previous article on GDPR compliance or request Liveclicker’s GDPR Overview document from your Liveclicker account development manager or sales rep, as appropriate. Both contain many valuable tips, strategies, and best practices to get ready for this regulation.

In this article, we highlight the many things we’ve done to prepare for the GDPR and comply with its many requirements. We believe this helps our clients solidify their own compliance efforts, and at the same time, hopefully it gives you even more information.

Overview: What is the GDPR?

First though: What is the GDPR, and why is it so important?

The General Data Protection Regulation (GDPR) is a regulation that is intended to strengthen and unify data protection and privacy controls for all individuals within the European Union (EU) by mandating stricter data collection and storage practices.

GDPR will be legally binding and enforceable beginning May 25, 2018 and will have costly penalties for those companies that fail to comply. For example, any organization that has a presence in the EU or the UK could face a fine of €20M or four percent of total revenue (whichever is higher) for non-adherence to the core principles of processing personal data, infringement of the rights of data subjects, or the transfer of personal data to countries or organizations that do not ensure an adequate level of data protection.

If your company does business with citizens in the EU, GDPR could definitely affect your organization. Yet GDPR is not just a concern for organizations based in European countries. For example, U.S. laws now allow EU countries to create class-action lawsuits against U.S. companies, which may have to be defended in each country. Additionally, 29 U.S. states now have similar laws and can impose fines within 30 days of a breach where personally identifiable information (PII) is lost or exposed. 

What has Liveclicker done to comply with the GDPR?

We have already taken extensive steps to maximize our compliance with this new legislation, including:

Legal and process measures:

  • Created GDPR-friendly contract amendments. Any client that believes it will be impacted by GDPR is able to use a friendly amendment template to ensure its contract with Liveclicker is GDPR-compliant.
  • Updated our information security policy. The information security policy is available under NDA to any client or prospective Liveclicker client. The policy contains updated verbiage on data collection and retention practices as mandated by GDPR and updates language within the policy to be compliant with the GDPR requirements.
  • Implemented GDPR-friendly contracts. All Liveclicker contracts contain language to ensure compliance with the GDPR standards for Data Processors.
  • Documented vendors and subcontractor policies and executed subprocessor agreements where needed. Liveclicker developed a list of vendors and subcontractors we work with to store and process data (e.g., Amazon Web Services), evaluated their privacy and data collection policies, and documented those policies to ensure compliance with GDPR. Additionally, as mandated by the GDPR, we have executed data subprocessor agreements where needed.
  • Updated privacy policy. The privacy policy has been updated to ensure it is GDPR compliant, including addressing in clear and plain language how Liveclicker processes Data Subject data.
  • Enrolled in Privacy Shield. Privacy Shield is a US-EU privacy framework that ensures EU privacy standards are upheld when the personal data of EU citizens is processed in the US.
  • Appointed a Data Protection Officer (DPO). While not a requirement for data processors under the GDPR, as an extra precaution, Liveclicker has appointed its own DPO, who serves as a central point of contact for all GDPR and information security-related requests including requests to erase Data Subject data.

Technical measures:

Additionally, we have implemented the following technical measures:

  • Created a technical process to ensure Data Subject data can be erased. Requests from Data Subjects (the organization’s customers) to Data Controllers (the organization) to permanently delete personal data can be processed by Liveclicker through the use of new automated technical measures, making compliance for Data Controllers a simple process.
  • Modified the way data is retained to achieve compliance. We have taken extensive technical steps to ensure personal data of Data Subjects is processed and retained in a manner that is compliant with the GDPR.
  • Developed an approach to audit and create new data-processing mechanisms. When Liveclicker must process the personal data of Data Subjects in accordance with Data Controller instructions, we do so in a way that a) provides control to Data Controllers and b) is GDPR-compliant.

Interested in learning more? To access all of our GDPR information, please contact your Liveclicker account development manager or sales rep, as appropriate.